CVE-2021-46360
published 2022-02-09


Priority: P2 · 66 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 9.18% (94.7th percentile)
Authenticated remote code execution (RCE) in Composr-CMS 10.0.39 and earlier allows remote attackers to execute arbitrary code via uploading a PHP shell through /adminzone/index.php?page=admin-commandr.

Affected

1 range

Vendor | Product | Version range | Fixed in
ocproducts | composr | <= 10.0.39 |

Detection & IOCs (extracted from sources)

url: /adminzone/index.php?page=admin-commandr
path: /adminzone/index.php?page=admin-commandr
path: /data/commandr.php
path: /uploads/filedump/
path: /uploads/filedump/php-reverse-shell.php
cookie: commandr_dir=L3Jhdy91cGxvYWRzL2ZpbGVkdW1wLw%3D%3D
command: command=rm .htaccess
  • Detect POST requests to /data/commandr.php containing '_data=command=' in the body, indicating abuse of the Commandr file manager to execute OS commands.
  • Alert on POST requests to /data/commandr.php with body containing 'command=rm .htaccess', which is the first stage of the exploit to remove upload protection.
  • Monitor for GET requests to /uploads/filedump/*.php — a PHP file uploaded to this path indicates successful webshell placement via the file/media library.
  • Detect the presence of the 'commandr_dir' cookie with a base64-decoded value pointing to /raw/uploads/filedump/ in requests to the admin zone, indicating attacker session setup.
  • Spawned shell process running as uid=1 (daemon) from a web server context is a strong post-exploitation indicator for this CVE.
  • Session-related values (PHPSESSID, cms_session, keep_session, csrf_token) are dynamic and will differ per exploitation attempt; do not use the sample values as static IOCs.
  • The exploit requires prior authentication; detections should account for an authenticated session before the malicious POST to commandr.php occurs.
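
The four HTTP-level checks above, as an added Python example (not taken from the sources this page draws on). The JSON-lines record format with method, uri, cookie and body fields, the indicator names and the sample records are assumptions; bodies are URL-decoded before matching so that encoded forms of the same strings are also caught.

```python
import base64
import json
from urllib.parse import unquote, unquote_plus, urlsplit

# Constructed sample: assumed JSON-lines export from a proxy/WAF that logs cookies and bodies.
SAMPLE_LOG = """\
{"method": "GET", "uri": "/adminzone/index.php?page=admin-commandr", "cookie": "commandr_dir=L3Jhdy91cGxvYWRzL2ZpbGVkdW1wLw%3D%3D", "body": ""}
{"method": "POST", "uri": "/data/commandr.php", "cookie": "", "body": "_data=command=rm .htaccess"}
{"method": "POST", "uri": "/data/commandr.php", "cookie": "", "body": "_data=command%3Dls"}
{"method": "GET", "uri": "/uploads/filedump/php-reverse-shell.php", "cookie": "", "body": ""}
{"method": "GET", "uri": "/uploads/filedump/report.pdf", "cookie": "", "body": ""}
"""

def cookie_dir(cookie_header):
    """Return the decoded commandr_dir cookie value, or None if absent or undecodable."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "commandr_dir":
            try:  # value is URL-encoded base64 (e.g. trailing %3D%3D)
                return base64.b64decode(unquote(value), validate=True).decode("utf-8", "replace")
            except ValueError:
                return None
    return None

def classify(rec):
    """Return the indicator names (hypothetical labels) matched by one request record."""
    path = urlsplit(rec["uri"]).path
    body = unquote_plus(rec.get("body", ""))  # match on the decoded body
    hits = []
    if rec["method"] == "POST" and path == "/data/commandr.php":
        if "_data=command=" in body:
            hits.append("commandr-exec")
        if "command=rm .htaccess" in body:
            hits.append("htaccess-removal")
    if rec["method"] == "GET" and path.startswith("/uploads/filedump/") and path.lower().endswith(".php"):
        hits.append("filedump-php")
    if path.startswith("/adminzone/") and cookie_dir(rec.get("cookie", "")) == "/raw/uploads/filedump/":
        hits.append("commandr-dir-cookie")
    return hits

def scan(log_text):
    """Return (line_number, indicators) for every record that matches at least one check."""
    results = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            hits = classify(json.loads(line))
            if hits:
                results.append((n, hits))
    return results
```

Matching on the decoded cookie value and on paths, rather than on session identifiers, keeps the checks independent of the per-attempt values noted above.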

CVSS provenance

nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P